Microsoft BitLocker Administration and Monitoring

Windows BitLocker Drive Encryption offers volume-level data encryption for data stored on Windows client and server platforms. BitLocker protects that data when the Windows systems are offline (i.e., when the OS is shut down) and can prevent data breaches such as the theft of confidential data on laptop computers.

The first version of BitLocker, which shipped with Windows Server 2008 and Windows Vista, protected only one volume: the OS drive. In Server 2008 and Vista SP1, Microsoft added support for BitLocker protection of different volumes, including local data volumes. In Server 2008 R2 and Windows 7, Microsoft added BitLocker support for removable data volumes-memory sticks and external data drives-a feature that Microsoft refers to as BitLocker To Go.

BitLocker is a valuable security add-on to the Windows OS. BitLocker can help organizations to save money because they don't need to invest in special third-party disk-encryption software. But organizations are often reluctant to implement BitLocker because of its deployment and management complexity.

To tackle these issues, Microsoft has released Microsoft BitLocker Administration and Monitoring (MBAM), part of the Microsoft Desktop Optimization Pack (MDOP). This article provides an overview of MBAM and its architecture and explains how the tool can ease BitLocker deployment and management pains by providing better provisioning, recovery, and reporting capabilities.

MBAM Architecture

MBAM is a client/server application that consists of the MBAM client agent and a set of MBAM server components. Microsoft currently (at press time) provides 32-bit and 64-bit versions of the MBAM client for the Windows 7 platform only. The MBAM client agent enforces BitLocker settings on Windows 7 clients; gathers BitLocker recovery passwords and compliance and configuration data; and forwards this data to the central MBAM server.

The 64-bit MBAM server consists of five components that can be hosted on one server or spread across servers:

the administration and monitoring server

the compliance and audit database

the recovery and hardware database

the compliance and audit report templates

the MBAM Group Policy Object (GPO) template

The MBAM server installation wizard lets you select which components you want to install on which machine, as Figure 1 shows. Microsoft recommends using a three- or five-computer configuration when deploying MBAM in your production environment. With the five-machine configuration option, each MBAM component is deployed on a different machine. In the three-machine configuration option, the recovery and hardware database, the compliance and audit database, and the compliance and audit reports components are co-located on one server.

The MBAM administration and monitoring server component hosts the web-based management console and data collection web services. The component builds on the Server 2008 IIS Web Server role. Administrators use the management console to generate reports, check client BitLocker compliance status, and access BitLocker recovery passwords. When you install the MBAM administration and monitoring server, you'll notice that it automatically adds five MBAM-specific security groups to Active Directory (AD). You can use these groups to fine-tune MBAM administrative delegation.

As an optional subcomponent of the administration and monitoring server, you can install the MBAM hardware capability manager. This subcomponent allows the MBAM administrator to define which client hardware types can run BitLocker and should be centrally controlled through the MBAM BitLocker GPO. After the hardware capability manager is enabled, all MBAM clients use its centrally defined hardware capability list to determine whether the client computer can support BitLocker. The MBAM clients then pass this information to the central MBAM reporting server.

The MBAM administration and monitoring server component links to two Microsoft SQL Server databases: a compliance and audit database, and a recovery and hardware database. The compliance and audit database stores the BitLocker compliance data of all MBAM-enabled client computers. The recovery and hardware database stores the BitLocker recovery passwords. Both databases require different SQL Server 2008 R2 database instances that can be co-located on a single SQL Server 2008 R2 machine (as in the three-machine MBAM configuration option).

The MBAM server also includes a set of compliance and audit report templates that can be used in conjunction with SQL Server Reporting Services (SSRS). Compliance and audit reports can be accessed from the web-based MBAM management console or directly from the SSRS server.

Last but not least, the MBAM server comes with an MBAM GPO template for extending the central control of clients' BitLocker configuration. Administrators can leverage this template (an *.admx file) from the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) console.

Easier Provisioning

After you deploy the MBAM server-side infrastructure and enable BitLocker on your Windows 7 clients, using MBAM is a two-step process. First, you must deploy the MBAM client to your user workstations. Then, you must configure the MBAM-specific GPO settings.

The MBAM client is a standard Windows Installer (*.msi) file that you can deploy by using any software-distribution tool. You can leverage the GPO Software Installation feature, System Center Configuration Manager (SCCM) 2007 or 2012, or similar tools.

When the MBAM client is successfully deployed on a Windows 7 client, you'll notice that a new service-the BitLocker Management Client Service-is set to automatically start in the system's Services list. The Control Panel also holds a new applet, Windows BitLocker Administration, which lets users check the BitLocker status of their computers' volumes and easily change their BitLocker unlock PIN or password. Windows BitLocker Administration can also be accessed by clicking the corresponding entry from a BitLocker-protected drive's context menu in Windows Explorer.

The MBAM client also enables a new wizard that lets users easily protect their computers by using BitLocker. If the central MBAM GPO specifies that a computer is to be protected by using BitLocker, then the MBAM client prompts the user to enable BitLocker, as Figure 2 shows. When the user agrees to do so, MBAM starts a wizard that walks the user through the encryption process. The wizard can prompt the user for a PIN and can cover Trusted Platform Module (TPM) configuration, depending on the content of the central MBAM GPO.

Another interesting feature of the MBAM client is that it lets standard users initiate BitLocker volume encryption. (Legacy BitLocker requires administrator privileges to do so.)

After you deploy the client agents, you can centrally configure them by using the new MBAM GPO settings. Before you can use these GPO settings, remember that you must have installed the administrative template that's included in the MBAM server installer on your GPO management workstation.

MBAM adds about 20 new BitLocker-related GPO settings in the \Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management) GPO container, as Figure 3 shows. Note that this new container is different from the BitLocker Drive Encryption container. The new GPO settings include settings to configure the MBAM client, the addresses of the password recovery and reporting MBAM server components, and the BitLocker encryption rules for fixed, OS, and removable drives.

The previous paragraphs explained how you can use MBAM to provision BitLocker after client computers have been distributed to users. Besides this provisioning method, there's another option for organizations in which new computers are centrally configured before they're distributed to users. In such a situation, you can encrypt each computer before user data is written to it. To do so, use the standard Windows 7 deployment tools.

Simpler Recovery

BitLocker requires a solid recovery strategy and forces the user to define a recovery method during BitLocker setup. These requirements allow users to regain access to their data when the encrypted drive cannot be accessed. On an OS drive, you need a recovery method when users forget their PINs, users lose the USB token that holds the BitLocker startup key, or the TPM registers integrity changes to the system files. For data drives, you need a recovery method when users forget their passwords or lose their smart cards. Also, if a protected data drive is configured for automatic unlocking, you need a recovery method if the auto-unlock key that's stored on the computer is accidently lost (e.g., after a hard disk failure or reinstallation).

A recovery password is a 48-bit numerical password that is generated during BitLocker setup. You can save the recovery password to a file, you can print it, or it can be automatically saved in AD. For more information about BitLocker recovery methods, see the recovery strategy section in "DeployBitLocker in Your Organization the Right Way."

MBAM provides a better alternative to storing the BitLocker recovery password in AD. Organizations seldom want to store BitLocker recovery data in AD because doing so implies that all AD administrators can access the data, indirectly or directly. And in AD, the recovery data is stored in clear text. MBAM stores BitLocker recovery data in a separate and encrypted SQL Server database.

You can access the MBAM password recovery page by navigating to the default MBAM administration and monitoring page from your browser. Then, in the left navigation panel, select Drive Recovery, as Figure 4 illustrates. You must then enter the AD user ID and domain, a reason why the user is asking for the recovery password, and the first eight characters of the recovery password ID. The latter is displayed after the user or Help desk operator reboots the client machine in drive recovery mode. After you click Submit, MBAM retrieves the recovery password from its recovery database. The administrator or Help desk operator can then pass the password to the user, who can enter the password on the client to unlock the computer's drive.

An important detail: MBAM also enables single-use recovery passwords. MBAM automatically resets the recovery password for the drive so that the old password can't be used again. This action can prevent unauthorized users from gaining access to a BitLocker-protected hard drive when they get access to a previously used recovery key.

Better Reporting

Administrators who've struggled with the creation of BitLocker reports on their client machines will certainly welcome MBAM's reporting capabilities. You can use the MBAM reports to quickly determine whether your Windows 7 clients are compliant with your BitLocker policy. For example, when a user laptop that contains corporate data is stolen or lost, MBAM reports let you rapidly determine whether the loss represents a risk: You can use the MBAM compliance report to see whether the user's laptop had BitLocker enabled on its data volumes.

By default, MBAM provides these reports in the MBAM management console:

enterprise compliance report

computer compliance report

hardware audit report

recovery audit report

In addition to these four default reports, you can create custom compliance reports by using SSRS tools.

The enterprise compliance report tells you the BitLocker compliance status of all clients in your organization. It shows which machines are compliant, noncompliant, and exempt from the BitLocker policy. The computer compliance report lets you search by computer or username and shows whether a specific computer or user's computers are compliant with BitLocker policy. When a laptop is lost, you can use this report to quickly determine its BitLocker status. The recovery audit report shows who has accessed or tried to access recovery password information in the MBAM key recovery database. Finally, the hardware audit report indicates who has changed the hardware compatibility list and when the MBAM client discovers new hardware. This report is useful only when you've also installed and use MBAM hardware compatibility checking in your organization.

You can access the default reports by navigating to the default MBAM administration and monitoring page from your browser. In the left navigation panel, select Reports and then the specific report that you want to generate. MBAM displays the resulting report on a web page. You can also save the results in another format (e.g., Word document, Excel spreadsheet). To generate reports, you must be a member of the MBAM Report Users AD group on the server or servers on which the MBAM administration and monitoring server and compliance status database are installed.